Manually Configure a Service Account for a Federation Server Farm

If you intend to configure a federation server farm environment in Active Directory Federation Services (AD FS), you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where the farm will reside. You then configure each federation server in the farm to use this account. You must complete the following tasks in your organization when you want to allow client computers on the corporate network to authenticate to any of the federation servers in an AD FS farm using Windows Integrated Authentication.

Note

You have to perform the tasks in this procedure only one time for the entire federation server farm. Later, when you create a federation server by using the AD FS Federation Server Configuration Wizard, you must specify this same account on the Service Account wizard page on each federation server in the farm.

Create a dedicated service account

Create a dedicated user/service account in the Active Directory forest that is located in the identity provider organization. This account is necessary for the Kerberos authentication protocol to work in a farm scenario and to allow pass-through authentication on each of the federation servers. Use this account only for the purposes of the federation server farm.

Edit the user account properties, and select the Password never expires check box. This action ensures that this service account's function is not interrupted as a result of domain password change requirements.

Note

Using the Network Service account for this dedicated account will result in random failures when access is attempted through Windows Integrated Authentication, as a result of Kerberos tickets not validating from one server to another.

To set the SPN of the service account

Because the application pool identity for the AD FS AppPool is running as a domain user/service account, you must configure the Service Principal Name (SPN) for that account in the domain with the Setspn.exe command-line tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain where the user/service account resides:

setspn -a host/<server name> <service account>

For example, in a scenario in which all federation servers are clustered under the Domain Name System (DNS) host name fs.fabrikam.com and the service account name that is assigned to the AD FS AppPool is named adfs2farm, type the command as follows, and then press ENTER:

setspn -a host/fs.fabrikam.com adfs2farm

It is necessary to complete this task only once for this account.
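The SPN registration above, carried out with the checks a practitioner would want around it, as an added PowerShell example that is not part of the original article: it refuses to register host/fs.fabrikam.com if that SPN already belongs to a different account (a duplicate SPN is one cause of the intermittent Kerberos failures the note above describes), uses setspn -S so the tool performs its own duplicate check, and then confirms both the SPN and the "Password never expires" setting on the account. It assumes the farm name fs.fabrikam.com and the account adfs2farm from the article, and that the RSAT ActiveDirectory module is available on the domain-joined machine it runs on.

```powershell
# Added example, not from the original article. Values below come from the
# article's scenario; adjust them for your own farm.
$FarmHostName   = 'fs.fabrikam.com'
$ServiceAccount = 'adfs2farm'
$Spn            = "host/$FarmHostName"

Import-Module ActiveDirectory

# 1. Find out whether any object in the domain already carries this SPN.
#    Kerberos requires an SPN to map to exactly one account; a second owner
#    makes the KDC hand out tickets for the wrong identity.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                      -Properties sAMAccountName

if ($owner -and $owner.sAMAccountName -ne $ServiceAccount) {
    throw "SPN '$Spn' is already registered on '$($owner.sAMAccountName)'. " +
          "Remove that registration before assigning it to '$ServiceAccount'."
}

# 2. Register the SPN if it is not there yet. 'setspn -S' only adds the SPN
#    when no duplicate exists, so it is the safer form of the article's
#    'setspn -a' command.
if (-not $owner) {
    & setspn -S $Spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) {
        throw "setspn failed with exit code $LASTEXITCODE"
    }
} else {
    Write-Host "SPN '$Spn' is already registered on '$ServiceAccount'."
}

# 3. Verify the result on the account itself, and confirm the password
#    setting the article asks for so the farm does not stop working when
#    the domain password policy forces a change.
$acct = Get-ADUser -Identity $ServiceAccount `
                   -Properties ServicePrincipalNames, PasswordNeverExpires

if ($acct.ServicePrincipalNames -notcontains $Spn) {
    throw "SPN '$Spn' is not present on '$ServiceAccount' after registration."
}
if (-not $acct.PasswordNeverExpires) {
    Write-Warning "'$ServiceAccount' does not have 'Password never expires' set."
}

Write-Host "SPNs registered on ${ServiceAccount}:"
$acct.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }
```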

After the AD FS AppPool identity is changed to the service account, set the access control lists (ACLs) on the SQL Server database to allow Read access to this new account so that the AD FS AppPool can read the policy data.